Old post, but... How about this?
source=NameOfSource | streamstats count as row
|eval r=[search source=NameOfSource | streamstats count as row | search "Search Criterion" | head 1 | return $row]
|where row>=r-1 and row<=r+1 | sort -row
Don't take it personally but that's one of the most ineffective solutions to any splunk problem I've seen. Don't ever do that.
Not only are you scanning all events instead of using splunk's indexes, you're doing it twice!
For reference -
simple search for the string "error" from my home splunk from _internal index for the last 24 hours
This search has completed and has returned 2,277 results by scanning 2,277 events in 1.846 seconds
The "same" search by listing all events, streamstatsing and then searching:
This search has completed and has returned 2,279 results by scanning 1,155,856 events in 25.172 seconds
I think you can see the difference.
Hi PickleRick,
I greatly appreciate the feedback. I've gained just enough experience that I want to start contributing back, so no offense taken.
By "source" I had in mind a specific, dated, application log which, in our environment, is quite constrained. Identifying (in our environment) just index and sourcetype would result in a quite broad result set.
I saw your solution, but took the poster's question as a desire for the couple of specific events immediately before and after the found event rather than a range of who-knows-how-many around its _time stamp.
If I had written my answer like the following, would it have been more acceptable?
index=YourIndex sourcetype=YourSourceType | streamstats count as row | eval r=[search index=YourIndex sourcetype=YourSourceType | streamstats count as row | search "SpecificSearchCriterionExpectedToReturnOneEvent" | head 1 | return $row] | where row>=r-1 and row<=r+1 | sort -row
Yes, I understand. And - to be honest - I also had a similar need once or twice but - honestly - I don't think there's a "good" answer using splunk. It all boils down to the fact that there's no "sequence number" concept in splunk. That's why you either use time as your narrowing factor (which is not very precise as we know) or have to do such ineffective tricks as your solution.
The problem is that with a normal "index=whatever | search filter", splunk can optimize it and perform as if it were written simply as "index=whatever filter". But if you add streamstats, even if splunk could optimize the search to find just the proper result, it still has to look through all events just to count them.
So I suppose there's really no effective way to do that.
Also, there's no effective method not involving a subsearch (because as you pass down the processing pipe you lose the knowledge about the original data, so you'd have to pass the data further downstream somehow, which again means that you'd have to somehow keep a "backlog" of your events).
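The "time as your narrowing factor" alternative described in the reply above, written out as an added example (not code from any poster in this thread). It assumes the same placeholder index/sourcetype names as the posts and a one-second window on either side of the matched event; the subsearch returns earliest/latest so the outer search stays index-bounded instead of counting every event with streamstats:

```spl
index=YourIndex sourcetype=YourSourceType
    [ search index=YourIndex sourcetype=YourSourceType "SpecificSearchCriterionExpectedToReturnOneEvent"
      | head 1
      | eval earliest=_time-1, latest=_time+1
      | fields earliest latest ]
| sort 0 _time
```

Unlike the row-counting version, this can return more than one neighbour on each side if several events share the same second, which is the trade-off the later replies point out.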
Please check the post below
http://answers.splunk.com/answers/150509/how-to-get-events-around-identified-event.html
Thanks for the tip.
It isn't strictly what I was looking for, as it is time-based rather than event-based. So there can be quite a few events during the time I specify - even just a second - but at least it's there.